CCI staff share recent surveys, reports and analysis on risk, compliance, governance, infosec and leadership issues. Share details of your survey with us: editor@corporatecomplianceinsights.com.
Supply chain cyber breaches affect 81% of organizations
More than four-fifths of organizations (81%) reported being negatively impacted by cyber breaches in their supply chain over the past year, though this represents an improvement from 94% in 2023, according to new research from BlueVoyant, a cyber defense company. Organizations experienced an average of 3.7 breaches during this period.
The study reveals a shift in third-party risk management priorities, with companies now focusing more on enforcement and compliance rather than basic awareness and program adoption. Despite increased investment in technology and talent, organizations continue to face significant challenges in monitoring their supply chain security, with only 32% of third-party vendors being regularly monitored.
The healthcare sector appears particularly vulnerable, with 87% of healthcare and pharmaceutical companies reporting supply chain breaches — the highest rate across all industries studied.
Other key findings:
- 86% of organizations increased their third-party risk management budgets.
- 36% of organizations have taken a more active role in working with suppliers on cyber risk remediation, up from 19% last year.
- 50% of organizations do not conduct periodic assessments of all vendors due to resource constraints.
- Healthcare organizations showed the highest rate (36%) of having no threat detection capabilities for third parties.
“While this progress also brings many new challenges, it indicates a major step in the right direction when contrasted with previous years where many organizations had poor tracking of third-party vendors, little to no leadership oversight, and virtually no collaboration when it came to remediating cyber issues,” said Joel Molinoff, global head of supply chain defense at BlueVoyant.
The study surveyed 2,100 C-suite leaders across 11 countries in North America, Europe and Asia Pacific who are responsible for supply chain and cyber risk management.
AI-enhanced attacks remain top enterprise risk concern for third straight quarter
Artificial intelligence-enhanced malicious attacks continue to be the leading emerging risk for enterprises, maintaining this position for the third consecutive quarter, according to new research from Gartner, the global research and advisory firm. The findings emerge as organizations grapple with increasing IT vendor dependencies and uncertain regulatory environments.
The study revealed two new major concerns entering the top emerging risks list: IT vendor criticality and an unsettled regulatory and legal environment. These additions reflect growing executive anxiety about over-reliance on major IT vendors and the complex implications of upcoming political events, including the U.S. election.
The research also highlighted the need for organizations to enhance their resilience against disruptions through strategic planning and risk assessment, particularly regarding political and regulatory uncertainties.
“Beyond politics, other global events, such as the July CrowdStrike outage, have raised questions about whether organizations over-rely on their largest IT vendors,” said Zachary Ginsburg, senior director of research in the Gartner risk and audit practice. “Organizations may not realize the full extent of their exposure.”
The findings are based on a survey of 286 senior risk and assurance executives and managers conducted during the third quarter of 2024, before Donald Trump’s dramatic return to the White House.
AI-powered synthetic selfies emerge as new fraud threat
Fraudsters are now creating completely synthetic “selfies” that can bypass automated identity verification systems, marking a significant evolution in identity fraud techniques, according to new research from AU10TIX, a global identity verification provider. The development represents a concerning shift, as selfie verification has historically been one of the least exploited methods of fraud.
The study found that automated bot attacks targeting social media platforms surged dramatically in Q3 2024, accounting for 28% of all attacks, up from just 3% in Q1. Many of these attacks incorporated advanced randomized generative AI elements to evade detection, particularly in attempts to create fake social media accounts at scale ahead of the U.S. presidential election.
While the payments sector saw fraud rates drop from 52% to 39% quarter-over-quarter, fraudsters shifted their focus to less regulated industries, with the cryptocurrency market accounting for 31% of attacks in Q3. The research also revealed a 20% increase in “image template” attacks, where criminals use AI to rapidly create variations of synthetic identities.
“Fraudsters are evolving faster than ever, leveraging AI to scale and execute their attacks, especially in the social media and payments sectors,” said Dan Yerushalmi, CEO of AU10TIX. “While companies are using AI to bolster security, criminals are weaponizing the same technology to create synthetic selfies and fake documents, making detection almost impossible.”
The findings are based on AU10TIX’s analysis of millions of transactions processed globally from July to September 2024.
94% of HR professionals use AI tools but 40% lack usage policies
Nearly all HR professionals (94%) are using artificial intelligence in their operations, but 40% report they either don’t have or are unsure if they have an AI acceptable use policy in place, according to new research from Traliant, a compliance training provider. The disconnect highlights growing concerns about responsible AI adoption in human resources.
The study reveals significant gaps in AI governance and training, with 21% of organizations providing no AI usage training to employees and nearly one-third (31%) failing to share any guidelines about proper AI use within their organizations. Despite these gaps, HR departments remain primarily responsible for developing AI policies and communication in half of the surveyed organizations.
Data privacy and security emerged as the top AI-related concern among HR professionals, cited by 63% of respondents, followed by compliance with data protection laws and regulations at 52%.
Other key findings:
- 94% of HR professionals currently use some form of AI in operations.
- 50% of organizations designate HR as the primary party responsible for AI policy development.
- Communications about proper AI use are lacking in nearly one-third of organizations.
“While AI brings vast opportunities for driving organizational success and fostering talent growth, it must be accompanied by clear acceptable use policies and guidelines to safely mitigate risk,” said Michael Johnson, chief strategy officer at Traliant.
The findings are based on a survey of 500 HR professionals in U.S. organizations with 100 to 1,000+ employees, conducted from Sept. 6-19, 2024.
CNAPP market surges 42% as enterprises boost cloud security spending
The cloud-native application protection platform (CNAPP) market reached nearly $700 million in the second quarter of 2024, growing 42% year-over-year as organizations intensified their focus on securing cloud workloads across multiple environments, according to new research from Dell’Oro Group, a telecommunications and security market research firm.
Runtime security dominated the market, accounting for more than half of CNAPP spending, while deployment security emerged as the fastest-growing segment, representing approximately one-third of the market, the report found. The growth in deployment security reflects increasing demand for visibility and compliance solutions specifically designed for multi-cloud environments.
The report is based on Dell’Oro Group’s analysis of CNAPP market revenue across five regions: North America, EMEA, Asia Pacific, China, and Caribbean and Latin America.